Cannot use Advanced Rest Client with Letsencrypt Websites because throws: sslv3 alert handshake failure

My domain is: https://dev.www.triunfamos.com

I ran this command: I use Advanced Rest Client ( https://install.advancedrestclient.com/install ) and call to my domain

It produced this output:

### The requested URL can't be reached
The service might be temporarily down or it may have moved permanently to a new web address.
140278599439040:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO sslv3 alert handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s23_clnt.c:802:

If I use this website: https://apitester.com/ to call to my URL it works fine
But with this one it fails too: https://client.restlet.com/ throwing the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.26.1

1 Like

That’s because the default options for the nginx installer plugin is to disable SSLv3.

It is adviced to disable SSLv3 because of security flaws in the protocol. It was deprecated in June 2015 by RFC 7568. In 2014, SSL 3.0 was found to be vulnerable to the POODLE attack that affects all block ciphers in SSL; RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[18]

You could enable SSLv3, but I would strongly advice against it.

The reason restlet.com doesn’t work is probably because they’re using an old version of Java.

Hmm. Somehow I don’t think it’s simply due to SSLv3 - I happen to have Advanced Rest Client installed, and it connects just fine to my own home server, which only speaks TLS 1.2 and of course also uses a Let’s Encrypt certificate. Sure enough though, I get that same error when trying to connect to https://dev.www.triunfamos.com.

opens wireshark

I think the problem might be a mismatch of supported elliptic curves. What is ssl_ecdh_curve set to in your nginx configuration?

1 Like

Well, I tested with OpenSSLs s_client and its -sslv3 option, which refuses to connect to https://dev.www.triunfamos.com/ .

The site only supports secp384r1 but that shouldn’t be a problem.

Actually, the site is configured pretty well: https://www.ssllabs.com/ssltest/analyze.html?d=dev.www.triunfamos.com&hideResults=on

Well, sure, SSLv3 won’t work. But Advanced Rest Client does support TLS 1.2.

1 Like

Useless OpenSSL error message, it is.

1 Like

Maybe it shouldn’t, but I’m looking at the handshake in Wireshark and I’m only seeing secp256r1 being offered by ARC.

1 Like

Thanks people for your support.

I had disabled some time ago SSLv3: https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com

|TLS 1.3|NO|
|TLS 1.2|YES|
|TLS 1.1|NO|
|TLS 1.0|NO|
|SSLv3|NO|
|SSLv2|NO|

@jmorahan How do I check what is ssl_ecdh_curve set?

uhhh… beyond “grep your nginx config”, I’m not sure, sorry. I’m more of an Apache guy :frowning:

1 Like

I’m a bit confused. What is the next step I need to check or show to you?

@jmorahan
root@profuniv-desa:/etc/nginx# grep ssl_ecdh_curve *
grep: conf.d: Is a directory
grep: geoip: Is a directory
grep: sites-available: Is a directory
grep: sites-available.BAK: Is a directory
grep: sites-enabled: Is a directory
grep: snippets: Is a directory
grep: ssl: Is a directory

try:
grep -r ssl_ecdh_curve /etc/nginx

1 Like

@jmorahan

root@profuniv-desa:/etc/nginx# grep -r ssl_ecdh_curve *
snippets/ssl_letsencrypt.conf:ssl_ecdh_curve secp384r1;

Okay so try editing the file snippets/ssl_letsencrypt.conf and changing that line from:
ssl_ecdh_curve secp384r1;
to:
ssl_ecdh_curve auto;
or possibly just delete the line entirely.

1 Like

Uch, seriously? IMHO that’s a flaw from ARC…

1 Like

changed to ssl_ecdh_curve auto;

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "auto" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

Suggestion (some sites):
Don’t works: https://www.cdn77.com/tls-test?domain=dev.www.triunfamos.com
DO works: https://www.cdn77.com/tls-test?domain=www.cdimarbella.com
DO works: https://www.cdn77.com/tls-test?domain=www.aulafacil.com (NO letsencript)

Yeah sorry I misread the documentation, auto was added in a later nginx version than the one you’re running. Try just deleting the line entirely.

YOU ARE THE FUCKING MASTER.

It worked by deleting the entire line.

So… the question is: Is the change favorable or worst?

auto only works since nginx 1.11.0.

Try:

ssl_ecdh_curve prime256v1:secp384r1;

That might be the default for your nginx version by the way. The docs say the current default is “auto”, but that wouldn’t be the default of your version obviously. :stuck_out_tongue:

root@profuniv-desa:/etc/nginx# nginx -t
nginx: [emerg] Unknown curve name "prime256v1:secp384r1" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed